ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: What is more important for Active Directory Security - Audit or Auditing?


Member

Posts: 16
Date: May 25, 2012
What is more important for Active Directory Security - Audit or Auditing?


All,

We recently had a re-org, and our new management would like for us to focus our resources on performing frequent IT audits, in addition to our ongoing Active Directory auditing efforts.

By auditing I am referring to the generation of audit events in the audit log when someone performs some delegated task in Active Directory, such as creating an account or resetting a password.

By audit, I am referring to performing a security audit of our Active Directory to determine who can actually perform what tasks in our Active Directory.

So one has to do with getting intimation that someone enacted a task, and one has to do with determining who can perform which tasks to begin with.

Thus far, we've mostly been focused on auditing because it helps us investigate a security incident when someone misuses their authority in Active Directory to compromise security.

We're trying to determine if we should allocate additional resources to also perform periodic audits to find out who is capable of enacting these tasks.

The question arises because this takes a lot of effort and time, and so we have to determine if we should be investing a decent amount of time to perform audits. (If it were easy, it would be a no-brainer, but it's not easy, so we have to give it additional thought.)

I would like to hear your view on this as I am sure some of you may have had to think about this as well. I welcome your thoughts. Thank you.

-J



__________________
Driod Rules!
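Editor's added example (not part of the post above): the "auditing" side as the poster defines it, i.e. pulling the audit events that a delegated password reset generates. Event 4724 ("An attempt was made to reset an account's password") is written to the Security log of whichever domain controller handled the reset, so the script asks every DC rather than one. It assumes the RSAT ActiveDirectory module, that "Audit User Account Management" (success) is enabled on the DCs through Advanced Audit Policy, that the caller can read the remote Security logs, and it uses 'ceo' as a placeholder sAMAccountName.

```powershell
# Added example: collect admin password-reset audit events (4724) from all DCs.
# Assumptions: RSAT ActiveDirectory module installed; "Audit User Account Management"
# success auditing enabled on the DCs; caller has remote Event Log read rights.
Import-Module ActiveDirectory

function Get-PasswordResetEvents {
    param(
        [string]$TargetSamAccountName = '*',   # wildcard pattern matched against TargetUserName
        [int]$Days = 7
    )
    # 4724 = reset by another principal (an admin reset); 4723 would be a user changing their own.
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-$Days) }

    # Each DC keeps its own Security log, so query every one of them.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Read the named EventData fields from the XML instead of parsing the message text.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data.TargetUserName -notlike $TargetSamAccountName) { continue }
            [pscustomobject]@{
                Time         = $e.TimeCreated
                DC           = $dc.HostName
                Actor        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Target       = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                ActorLogonId = $data.SubjectLogonId   # correlate with the actor's 4624 to find the source host
            }
        }
    }
}

# Placeholder account name: who reset the CEO's password in the last 30 days, and from which DC?
Get-PasswordResetEvents -TargetSamAccountName 'ceo' -Days 30 | Sort-Object Time | Format-Table -AutoSize
```

The output only tells you who did reset the password, after the fact; it says nothing about who else could have. That is the gap the rest of the thread is about.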


Veteran Member

Posts: 28
Date: Jun 27, 2012
RE: What is more important for Active Directory Security - Audit or Auditing?


Jeremy,

This is a very good and a very important question.

As you've pointed out, auditing is important because when a security incident (i.e. something bad) occurs, we need to be able to investigate and find out who enacted the delegated task involved in the security incident.

However, as you'll agree, the fact that a security incident occurred means that damage was done, and auditing only helps in trying to catch the perpetrator.

Now, one of the main reasons so much emphasis is laid on auditing, is because no one really knows exactly who has what delegated powers in Active Directory, so no one knows who can do what in Active Directory.

The reason no one knows this is because it is very difficult to audit who is delegated what powers in Active Directory. I'm not referring to who has what access/permissions, I'm referring to who has what effective access/permissions.

If we had the means to audit delegated access in Active Directory, we would all be much better off, because at least we'd know exactly who CAN perform which tasks on which objects.

This knowledge is very valuable, because you would rather be in a position where you know that only 10 people can reset the CEO's password, than be in a position where you have no idea, and are just relying on auditing, should any one of say 100+ people end up resetting the CEO's password, logging in as him, and compromising security.

So, I think, the ability to be able to perform an Active Directory security audit is far more valuable than the ability to view audit logs to find out who performed some administrative task, because, let's face it, if you're looking at audit logs, chances are, a security incident occurred, and that's never good.

If however, you had the ability to audit delegated access in Active Directory, you would know at any given time exactly who all can reset the CEO's password, so you would be in a much better position to protect Active Directory security and prevent security incidents from happening.

And the last I checked, prevention is always better.

So, I would say that the ability to audit delegated access in Active Directory is at least as important as, if not more important than, the ability to have Active Directory auditing in place.

Sincerely,

Jack.



__________________

We will NEVER forget.
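Editor's added example (not Jack's code): a first cut at the "audit" side Jack describes, i.e. answering "who can reset the CEO's password?" from the DACL rather than from the log. It reads the target user's security descriptor, keeps the ACEs that grant the Reset Password control access right (or something that subsumes it), and expands group trustees into accounts so the result is a list of people, not group names. It assumes the RSAT ActiveDirectory module, a caller allowed to read the target's security descriptor, and 'ceo' as a placeholder sAMAccountName. It is deliberately not a full effective-access calculation: Deny ACEs are listed rather than reconciled, WriteDacl/WriteOwner is reported as "can grant itself", and nested memberships through foreign domains are not followed, which is exactly why the thread calls this hard to do by hand.

```powershell
# Added example: enumerate who holds the Reset Password right on one user object.
# Assumptions: RSAT ActiveDirectory module installed; caller can read the object's
# security descriptor; 'ceo' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

# Well-known rightsGuid of the "Reset Password" control access right (User-Force-Change-Password).
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Expand-Trustee {
    # Resolve a trustee to member sAMAccountNames when it is a group; otherwise return its name.
    param([Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid   = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $group = Get-ADGroup -Identity $sid -ErrorAction Stop
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object { $_.SamAccountName }
    } catch {
        # Not a group: a user, a computer, or a well-known SID such as SELF / Authenticated Users.
        $Identity.Value
    }
}

function Get-ResetPasswordTrustees {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $target = Get-ADUser -Identity $SamAccountName
    $acl    = Get-Acl -Path "AD:\$($target.DistinguishedName)"
    $R      = [System.DirectoryServices.ActiveDirectoryRights]
    $InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($ace in $acl.Access) {
        # Inherited ACEs scoped to a different object class are stored inherit-only on this object; skip them.
        if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }

        $rights       = [int]$ace.ActiveDirectoryRights
        $hasExtended  = ($rights -band [int]$R::ExtendedRight) -ne 0
        # An ExtendedRight ACE with an empty ObjectType grants ALL control access rights.
        $matchesReset = ($ace.ObjectType -eq $ResetPasswordRight) -or ($ace.ObjectType -eq [guid]::Empty)
        $isGenericAll = ($rights -band [int]$R::GenericAll) -eq [int]$R::GenericAll
        $canGrantSelf = ($rights -band ([int]$R::WriteDacl -bor [int]$R::WriteOwner)) -ne 0

        $how = if ($isGenericAll)                   { 'GenericAll' }
               elseif ($hasExtended -and $matchesReset) { 'ExtendedRight:ResetPassword' }
               elseif ($canGrantSelf)               { 'WriteDacl/WriteOwner (can grant itself)' }
               else                                 { $null }
        if (-not $how) { continue }

        foreach ($account in Expand-Trustee -Identity $ace.IdentityReference) {
            [pscustomobject]@{
                Target    = $target.SamAccountName
                Trustee   = $ace.IdentityReference.Value
                Account   = $account
                Type      = $ace.AccessControlType   # Deny ACEs appear here too; reconcile them by hand
                Via       = $how
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder account name: who can reset the CEO's password, and through which ACE?
Get-ResetPasswordTrustees -SamAccountName 'ceo' | Sort-Object Account, Via | Format-Table -AutoSize
```

Run it against the handful of high-value accounts first (executives, service accounts, the Domain Admins members themselves); a trustee such as Authenticated Users or a large departmental group showing up with ExtendedRight:ResetPassword is the kind of unauthorized delegation the thread is worried about.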



Member

Posts: 16
Date: Jul 20, 2012
RE: What is more important for Active Directory Security - Audit or Auditing?


Jack,

You've raised some very good points. Yes, now that I think about it, we all rely on auditing so much mostly because we don't really know exactly who can carry out which tasks in Active Directory.

The thing is that there is no way (that I know of) other than by performing a manual audit, to find out exactly who is delegated what access in Active Directory, so of course most of us have to rely on auditing to at least find out when someone performs some task.

I do however completely agree, that it would be so much better if we knew who can do what to begin with, as that would help us ensure that say, instead of 100 admins, only 5 admins can carry out a task, and they're all entitled to it anyway, at which point the value of auditing would reduce a bit, although not go away ever, as it would leave a record.

So I do agree that Active Directory Audits are far more important than auditing, as they can actually help reduce the number of people who could perform some task, as opposed to a situation, where large numbers of people can perform a task, and what we can do at best is get an audit entry generated when someone does perform a task.

I suppose both Active Directory Audit and Active Directory auditing are equally important in that regard. If only there was a way to easily audit delegated access in Active Directory, things would be almost perfect.

(Until then, we'll just have to live with doing Active Directory access audits manually. It's painful and laborious, but so very important.)

Thanks again.

Jeremy.



__________________
Driod Rules!


Veteran Member

Posts: 28
Date: Feb 5, 2013
What is more important for Active Directory Security - Audit or Auditing?


Jeremy,

Glad to see that your management has come to understand and appreciate the value and importance of performing Active Directory access audits. They are indeed very important because they are the only means by which one can ensure that only authorized personnel can carry out privileged actions in our Active Directory deployments.

By the way, not sure if this might be of much help, but now there is a way to easily find out who is delegated what access in Active Directory, especially to audit elevated access in Active Directory.

We use this tool to audit access in our Active Directory deployment, and it takes us less than 30 minutes to audit our entire domain. We've been performing weekly access audits and have been able to detect a large number of unauthorized delegations as well as reduce the number of privileged accounts in our Active Directory.

All in all a good discussion.

- Jack



__________________

We will NEVER forget.
